Building on 2005

The proposed updates remain closely aligned with recommendations made in the existing 2005 guidance.

"The Supplement reiterates and reinforces the expectations described in the 2005 Guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks, including consideration of new and evolving threats to customers' online accounts," the draft reads. It identifies certain controls that should no longer be considered effective, specifies minimum control expectations for certain online activities, and sets forth two minimum components of an effective layered security program. It also identifies specific minimum elements that should be part of an institution's customer awareness and education program.

In issuing the supplement, the regulatory agencies acknowledge the evolution of online threats, as well as institutions' failure to abide by all aspects of the 2005 guidance - including periodic risk assessments and updates to control mechanisms.

The five areas singled out in the supplement under specific supervisory expectations include:

1. Risk Assessments

The draft addresses risk assessments first, leveling some criticism at banking institutions for not being diligent about regular assessments.

"Examiners have noted that some institutions that were initially responsive in conforming with the 2005 Guidance have not updated their risk assessments and consequently not upgraded their authentication or other control techniques in response to relevant changes in the threat environment," the draft states.

The document says risk assessments should include regular reviews of internal systems, analyzing their abilities to:

Detect and thwart established threats, such as malware;

Respond to changes related to customer adoption of electronic banking;

2. Authentication for High-Risk Transactions

The FFIEC's definition of "high-risk transactions" remains unchanged. But the supplement does acknowledge that, since 2005, more consumers and businesses are conducting online transactions.

The draft distinguishes between consumer and commercial accounts when discussing potential high-risk transactions - a concession to recent commercial losses to ACH and wire fraud. Specific to commercial accounts, the document discusses online business transactions that generally involve ACH file origination and frequent interbank wire transfers. Because the frequency and dollar amounts of these transactions are generally higher, they pose a higher level of risk.

For these high-risk transactions, the FFIEC says: "Financial institutions should implement multifactor authentication and layered security, as described herein, consistent with the risk for covered business transactions."

3. Layered Security

Layered security includes different controls at different points in a transaction process. If one control or point is compromised, another layer of controls is in place to thwart or detect fraud. Agencies say they expect security programs to include, at minimum:

Processes designed to detect and effectively respond to suspicious or anomalous activity;

Enhanced controls for users who are granted administrative privileges to set up users or change system configurations, such as defined users, users' privileges, and application configurations and/or limitations.

The supplement is critical of how institutions have handled layered security to this point. "Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring/anomaly detection could have prevented many of the frauds, since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior."

Among recommendations for layered security: Out-of-band authentication, verification or alerting.

4. Effectiveness of Authentication Techniques

Part of the layered security approach, the draft suggests, should include stronger device identification, which could include use of "one-time" cookies to create a more complex digital fingerprint of the PC by looking at characteristics such as PC configuration, Internet protocol address and geo-location.

Although no device authentication method can mitigate all threats, the supplement says, "the Agencies consider complex device identification to be more secure and preferable to simple device identification."
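To make the "simple" versus "complex" distinction concrete, here is an added example (not code from the FFIEC draft or any vendor) in which a one-time cookie alone is the simple check, and the cookie combined with a weighted match of PC characteristics such as IP address range and geo-location is the complex check. The attribute weights, the 0.8 threshold and the server key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"placeholder-server-secret"   # constructed placeholder, not a real key

# "Complex" identification weighs several characteristics of the PC, not just
# a cookie; weights are an assumption for this example.
ATTRIBUTE_WEIGHTS = {"user_agent": 1, "screen": 1, "timezone": 1,
                     "ip_prefix": 2, "geo_country": 3}

# Constructed profile captured when the customer first enrolled the device.
ENROLLED_PROFILE = {"user_agent": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1280x800",
                    "timezone": "America/New_York", "ip_prefix": "203.0", "geo_country": "US"}

def cookie_tag(customer_id, nonce, key=SERVER_KEY):
    """MAC over customer id and nonce; the server stores only this tag."""
    return hmac.new(key, f"{customer_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_one_time_cookie(customer_id):
    """Mint a fresh single-use cookie value for the browser plus its stored tag."""
    nonce = secrets.token_hex(16)
    return nonce, cookie_tag(customer_id, nonce)

def fingerprint_score(profile, observed):
    """Fraction of weighted attributes that match the enrolled profile."""
    hit = sum(w for k, w in ATTRIBUTE_WEIGHTS.items() if profile.get(k) == observed.get(k))
    return hit / sum(ATTRIBUTE_WEIGHTS.values())

def identify_device(customer_id, presented_nonce, stored_tag, profile, observed, threshold=0.8):
    """Return (decision, new_cookie). Simple identification would stop at the
    cookie check; complex identification also requires the fingerprint to match."""
    cookie_ok = hmac.compare_digest(cookie_tag(customer_id, presented_nonce), stored_tag)
    if cookie_ok and fingerprint_score(profile, observed) >= threshold:
        return "recognized", issue_one_time_cookie(customer_id)   # rotate: single use
    # Missing or replayed cookie, or an unfamiliar PC: fall back to another factor
    return "step-up", None

def demo():
    """Enrol, log in from the same PC, then replay the cookie from elsewhere."""
    nonce, tag = issue_one_time_cookie("cust-42")
    same_pc, fresh = identify_device("cust-42", nonce, tag, ENROLLED_PROFILE, dict(ENROLLED_PROFILE))
    moved = dict(ENROLLED_PROFILE, ip_prefix="198.51", geo_country="XX")
    replayed, _ = identify_device("cust-42", nonce, tag, ENROLLED_PROFILE, moved)
    stale, _ = identify_device("cust-42", nonce, fresh[1], ENROLLED_PROFILE, ENROLLED_PROFILE)
    return same_pc, replayed, stale
```

In `demo()` the copied cookie is rejected on the unfamiliar PC even though the cookie value is valid, and the old cookie is rejected on the original PC once it has been rotated.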

The need for stronger challenge questions is also noted, as yet another layer institutions can use to authenticate and identify a device and a user. Too much basic information - birthdates, birthplaces, family names - is already available via social networks, so challenge questions built around those answers are no longer deemed effective. Instead, the draft guidance recommends more sophisticated queries such as asking the user to name or list previously owned vehicles or registered domain names - questions an imposter would find difficult to answer.

5. Customer Education and Awareness

As part of the effort to educate consumer and commercial customers about fraud risks and security measures, the draft states financial institutions should explain what protections are and are not provided under Regulation E. The drafted guidance also suggests banking institutions offer:

An explanation of under what circumstances and through what means the institution may contact a customer and request the customer's electronic banking credentials;

A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk;

A listing of institutional contacts for customers' discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Stronger Fraud Detection

Beyond the supervisory expectations, the draft guidance includes an appendix that discusses the current threat landscape and compensating controls, including anti-malware software for customers, as well as transaction monitoring/anomaly detection software. "Similar to the manner in which the credit card industry detects and blocks fraudulent credit card transactions, systems are now available to monitor online banking systems for suspicious funds transfers," the draft notes.

The supplement also recommends out-of-band authentication for certain high value and/or anomalous transactions.
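The transaction monitoring the Layered Security section and the appendix both describe, as an added example that is not code from the FFIEC draft or any product: a new ACH or wire transfer is compared with the customer's established pattern (known payees, typical amounts, usual hours), and the number of departures selects the response, with out-of-band verification for a single anomaly and a hold for review when several coincide. The history, thresholds and response tiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: float
    payee: str
    channel: str          # "ACH" or "WIRE"

# Constructed history for one commercial customer (not data from the draft):
# biweekly payroll ACH files plus one lease wire, all during business hours.
HISTORY = [
    Transfer(datetime(2011, 1, 5, 10, 15), 4800.0, "payroll-vendor", "ACH"),
    Transfer(datetime(2011, 1, 19, 10, 2), 5100.0, "payroll-vendor", "ACH"),
    Transfer(datetime(2011, 2, 2, 9, 48), 4950.0, "payroll-vendor", "ACH"),
    Transfer(datetime(2011, 2, 16, 10, 30), 5200.0, "payroll-vendor", "ACH"),
    Transfer(datetime(2011, 2, 21, 14, 5), 12000.0, "office-lease", "WIRE"),
    Transfer(datetime(2011, 3, 2, 10, 11), 5050.0, "payroll-vendor", "ACH"),
]

def build_baseline(history):
    """Summarise the customer's established pattern of behaviour."""
    amounts = [t.amount for t in history]
    hours = [t.when.hour for t in history]
    return {"mean": mean(amounts), "stdev": pstdev(amounts) or 1.0,
            "payees": {t.payee for t in history},
            "earliest": min(hours), "latest": max(hours)}

def anomaly_reasons(t, base):
    """List every way a new transfer departs from the baseline."""
    reasons = []
    if t.payee not in base["payees"]:
        reasons.append("new payee")
    if (t.amount - base["mean"]) / base["stdev"] > 3:   # 3 sd rule is an assumption
        reasons.append("amount far above baseline")
    if not base["earliest"] <= t.when.hour <= base["latest"]:
        reasons.append("outside usual hours")
    return reasons

def decide(t, base):
    """Layered response: release, out-of-band verify, or hold for review."""
    reasons = anomaly_reasons(t, base)
    actions = {0: "release", 1: "out-of-band verify"}
    return actions.get(len(reasons), "hold for review"), reasons

# Constructed new transfers to score against the baseline.
ROUTINE = Transfer(datetime(2011, 3, 16, 10, 5), 5150.0, "payroll-vendor", "ACH")
NEW_VENDOR = Transfer(datetime(2011, 3, 17, 11, 0), 6000.0, "new-supplier", "ACH")
SUSPECT = Transfer(datetime(2011, 3, 16, 2, 40), 15000.0, "unknown-account", "WIRE")
```

Calling `decide(SUSPECT, build_baseline(HISTORY))` flags all three departures at once, which is the kind of pattern the draft says monitoring could have caught; `NEW_VENDOR` trips only the payee check and would be routed to out-of-band verification rather than blocked.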

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
